
LDAPS


Helmut Schneider

Mar 20, 2009, 11:30:56 AM3/20/09
to perl...@perl.org
Hi,

I ran Net::LDAP on 5 Servers, 2*OpenBSD, 3*FreeBSD. I'm using it to connect
to an MS Active Directory. Everything was fine, also connecting via LDAPS.

Now I switched the 2 OpenBSD computers to FreeBSD and I'm not able to
connect via LDAPS anymore. LDAP is fine.

The code is:

use Net::LDAP;

our $scheme    = "ldap";
our $dnsDomain = "domain.tld";

# $_dnsDomain, $_searchbase, $ldapBindUser and $ldapBindPass are set elsewhere in the script.
$_conn = Net::LDAP->new($dnsDomain, scheme => $scheme)
    or die "Couldn't connect to '$scheme://$dnsDomain' for domain '$_dnsDomain' using searchbase '$_searchbase'. $!!\n";

# bind() returns a Net::LDAP::Message object (always true), so check its result code instead of "or die".
my $mesg = $_conn->bind($ldapBindUser, password => $ldapBindPass);
$mesg->code
    and die "Couldn't bind to '$scheme://$dnsDomain' for domain '$_dnsDomain' using searchbase '$_searchbase'. " . $mesg->error . "\n";

If I switch to

our $scheme = "ldaps";

I get the error:

Couldn't connect to 'ldaps://domain.tld' for domain '' using searchbase
'CN=Partitions,CN=Configuration,DC=domain,DC=tld'. Invalid argument!

According to tcpdump there are no packets transmitted at TCP 636.

But again, the 3 other FreeBSD machines do fine using LDAPS. What did I
miss?

Thanks, Helmut

Don C. Miller

Mar 20, 2009, 11:57:06 AM3/20/09
to Helmut Schneider, perl...@perl.org
Helmut, try connecting with debugging on and see what is happening. Also, try using ldapsearch in verbose mode. It might give you good information about the connection as well.

Don


Helmut Schneider

Mar 20, 2009, 12:23:58 PM3/20/09
to Miller, Don C., perl...@perl.org
How do I turn on debugging for Net::LDAP? Also, I'm not familiar with
the ldapsearch syntax, but:

[root@mx1 ~]# ldapsearch -h domain.tld -Z
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[root@mx1 ~]#

This "error" also displays on hosts where Net::LDAPS runs fine so I guess
it's not related to the problem. BTW, I'm using a self signed CA if this is
relevant.

----- Original Message -----
From: Miller, Don C.
To: Helmut Schneider ; perl...@perl.org
Sent: Friday, March 20, 2009 4:57 PM
Subject: RE: LDAPS


Helmut, try connecting with debugging on and see what is happening. Also,
try using ldapsearch in verbose mode. It might give you good information
about the connection as well.

Don


Chris Ridd

Mar 20, 2009, 3:05:55 PM3/20/09
to Helmut Schneider, Miller, Don C., perl...@perl.org

On 20 Mar 2009, at 16:23, Helmut Schneider wrote:

> How do I turn on debugging for Net::LDAP? Also, I'm not
> familiar with the ldapsearch syntax, but:

Call $ldap->debug(n) - n is a mask of debug flags described in the
docs. But as it is mainly for debugging LDAP PDUs, it isn't going to
help if you've got transport level problems.

> [root@mx1 ~]# ldapsearch -h domain.tld -Z
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> ldap_bind: Can't contact LDAP server (-1)
> additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> [root@mx1 ~]#
>
> This "error" also displays on hosts where Net::LDAPS runs fine so I
> guess it's not related to the problem. BTW, I'm using a self signed
> CA if this is relevant.

That's probably not related/relevant at this point.

A problem like this came up last year. Searching my list archives for
"IO::Socket::SSL Timeout" I think it got resolved by updating the
IO::Socket::SSL package. I don't follow that package closely to know
what might have changed...

Cheers,

Chris

Helmut Schneider

Mar 22, 2009, 6:44:37 AM3/22/09
to Chris Ridd, Miller, Don C., perl...@perl.org
From: "Chris Ridd" <chri...@mac.com>

> A problem like this came up last year. Searching my list archives for
> "IO::Socket::SSL Timeout" I think it got resolved by updating the
> IO::Socket::SSL package. I don't follow that package closely to know what
> might have changed...

It is most recent, 1.23.

But I got it: Using plain LDAP, Net::LDAP (or IO::Socket) by default tries to
connect using IPv4. When one switches to LDAP-SSL it by default tries to
connect using IPv6! And when the connection over IPv6 fails (here a packet
filter) it does not fall back to IPv4 but fails with "Invalid argument".
Verified using tcpdump. Reconfigured the packet filter, works fine now. One
probably might also use inet6=>0 but if IPv6 is available...

BTW, on the old OpenBSD machines p5-IO-Socket-SSL-1.12 was installed. And
from the changelog:

v1.16_1 2008.09.19
- better support for IPv6:
- IPv6 is enabled by default if IO::Socket::INET6 is available

Thanks for the food for thought. HTH others, Helmut
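An added example (not code from the thread) of the fix Helmut describes: since IO::Socket::SSL 1.16 LDAPS is attempted over IPv6 first with no IPv4 retry, so the retry is done explicitly with Net::LDAP's inet6/inet4 connect options, and the self-signed AD CA is verified with verify => 'require' instead of being ignored as the ldapsearch output earlier in the thread was. The host, bind DN, password variable and CA file path are placeholders.

```perl
#!/usr/bin/env perl
# Added example, not from the thread. Host, bind DN, CA path and the
# LDAP_BIND_PW environment variable are placeholders to adapt.
use strict;
use warnings;
use Net::LDAP;
use Socket qw(AF_INET6);

my $host    = 'domain.tld';                            # placeholder
my $cafile  = '/usr/local/etc/ssl/ad-ca.pem';          # placeholder: self-signed CA cert
my $bind_dn = 'CN=svc-ldap,CN=Users,DC=domain,DC=tld'; # placeholder
my $bind_pw = $ENV{LDAP_BIND_PW} // die "set LDAP_BIND_PW in the environment\n";

# Net::LDAP->new returns undef and puts the transport error in $@; this is
# where "Invalid argument" from a filtered IPv6 connect shows up.
sub ldaps_connect {
    my (%family) = @_;          # inet6 => 1 or inet4 => 1
    my $ldap = Net::LDAP->new($host,
        scheme  => 'ldaps',
        port    => 636,
        timeout => 10,
        verify  => 'require',   # fail closed on any cert not chained to $cafile
        cafile  => $cafile,
        %family,
    );
    return $ldap if $ldap;
    warn "ldaps://$host over " . join('', keys %family) . " failed: $@\n";
    return;
}

# The fallback IO::Socket::SSL does not do for us: IPv6 first, then IPv4.
my $ldap = ldaps_connect(inet6 => 1) || ldaps_connect(inet4 => 1)
    or die "no usable LDAPS path to $host\n";

printf "connected over %s to %s\n",
    $ldap->socket->sockdomain == AF_INET6 ? 'IPv6' : 'IPv4',
    $ldap->socket->peerhost;

# bind() always returns a Message object; the result code carries the failure.
my $mesg = $ldap->bind($bind_dn, password => $bind_pw);
die "bind as $bind_dn failed: " . $mesg->error . "\n" if $mesg->code;
print "bound as $bind_dn\n";
$ldap->unbind;
```

Run it with tcpdump on port 636 alongside, as in the thread, to see which address family actually carried the connection.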
